ctipilot.ch

ScarCruft (APT37) NarwhalRAT — fake Microsoft OTP lures, compiled-Python RAT, pCloud dead-drop C2

campaign · campaign:scarcruft-narwhalrat

Entity summary

  • Coverage timeline: 1 (first 2026-06-18 → last 2026-06-18)
  • Briefs: 1 (1 distinct)
  • Sources cited: 5 (4 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-06-18 · CTI Daily Brief — 2026-06-18
     active_threats · First coverage; Genians attribution, MS-OTP lure, scheduled-task persistence

Where this entity is cited

  • active_threats (1)

Source distribution

  • thehackernews.com: 2 (40%)
  • genians.co.kr: 1 (20%)
  • bleepingcomputer.com: 1 (20%)
  • welivesecurity.com: 1 (20%)

Related entities

Items in briefs about ScarCruft (APT37) NarwhalRAT — fake Microsoft OTP lures, compiled-Python RAT, pCloud dead-drop C2 (1)

ScarCruft (APT37) delivers NarwhalRAT behind fake Microsoft OTP "security alert" lures

From CTI Daily Brief — 2026-06-18 · published 2026-06-18

Genians Security Center attributed a new campaign to ScarCruft / APT37 (North Korea nexus) deploying a previously undocumented RAT it calls NarwhalRAT (Genians, 2026-06-16). The lure is a spearphishing email impersonating a Microsoft multi-factor authentication / OTP security alert; the attached ZIP carries a Windows shortcut (LNK) that launches PowerShell with -ExecutionPolicy Bypass to pull a batch loader, and the loader establishes persistence via a scheduled task running on a one-minute interval (T1053.005). The payload is a compiled-Python binary that loads obfuscated bytecode and provides keylogging (T1056.001), screenshot and audio capture, USB collection and remote command execution; C2 resilience comes from a pCloud dead-drop resolver (T1102.001) that hands out the current relay addresses, defeating static domain/IP blocking (The Hacker News, 2026-06-17).

Why it matters to us: APT37 targets government, diplomatic, policy-research and Korean-diaspora organisations, including in Europe. The behavioural chain is hunt-friendly without IOCs: alert on schtasks.exe creating tasks under an unusual Microsoft…-style name from a non-installer parent, on LNK→PowerShell -ExecutionPolicy Bypass execution trees, and on compiled-Python process images making outbound calls to consumer cloud-storage APIs. Treat the cloud dead-drop pattern as the durable detection surface — blocking one relay does not break C2.
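The three behavioural hunts above, expressed as rules over Sysmon-style process-creation (Event ID 1), image-load (Event ID 7) and network-connection (Event ID 3) events. This is an added example written for this page, not code from Genians or the brief's sources; the event records, the task name, the installer-parent allowlist and the cloud-storage watchlist are all constructed here for illustration (the brief does not publish the real task name), and the assumption that a double-clicked LNK surfaces as PowerShell with explorer.exe as parent is ours.

```python
"""Behaviour-based hunts for the NarwhalRAT-style chain over Sysmon-like events.
All sample events below are constructed for this example; field names follow
Sysmon (Image, ParentImage, CommandLine, ImageLoaded, DestinationHostname)."""
import re

# Parents from which legitimate software is expected to register scheduled
# tasks. Constructed allowlist; tune to the environment.
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}

# Consumer cloud-storage services usable as dead-drop resolvers. pCloud is the
# one named in the brief; extend the watchlist with others seen in-house.
CLOUD_STORAGE_DOMAINS = ("pcloud.com",)

# A compiled-Python (PyInstaller/Nuitka-style) binary loads the CPython runtime.
PYTHON_RUNTIME_DLL = re.compile(r"^python3\d*\.dll$", re.I)

# PowerShell accepts unambiguous prefixes of -ExecutionPolicy (-ep, -ex, ...).
EXEC_POLICY_BYPASS = re.compile(r"-e[a-z]*\s+bypass", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_schtasks_microsoft_name(ev):
    """Rule 1: schtasks.exe creating a Microsoft-style task from a non-installer parent."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev["CommandLine"]
    if not re.search(r"/create\b", cmd, re.I):
        return None
    m = re.search(r'/tn\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    task = (m.group(1) or m.group(2)) if m else ""
    if not task.lower().startswith("microsoft"):
        return None
    if basename(ev["ParentImage"]) in INSTALLER_PARENTS:
        return None
    return ("schtasks_microsoft_style_task", ev["ProcessId"], task)


def rule_lnk_powershell_bypass(ev):
    """Rule 2: PowerShell with -ExecutionPolicy Bypass spawned by explorer.exe
    (assumed parent for a double-clicked LNK)."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    if basename(ev["ParentImage"]) != "explorer.exe":
        return None
    if not EXEC_POLICY_BYPASS.search(ev["CommandLine"]):
        return None
    return ("lnk_powershell_bypass", ev["ProcessId"], ev["CommandLine"])


def hunt(events):
    """Run the per-event rules and the stateful Rule 3 correlation: a process that
    loaded the Python runtime and then connects to a cloud-storage domain."""
    findings = []
    compiled_python_pids = set()
    for ev in events:
        for rule in (rule_schtasks_microsoft_name, rule_lnk_powershell_bypass):
            hit = rule(ev)
            if hit:
                findings.append(hit)
        if ev.get("EventID") == 7 and PYTHON_RUNTIME_DLL.match(basename(ev["ImageLoaded"])):
            compiled_python_pids.add(ev["ProcessId"])
        if ev.get("EventID") == 3 and ev["ProcessId"] in compiled_python_pids:
            host = ev.get("DestinationHostname", "").lower()
            if any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
                findings.append(("compiled_python_cloud_storage_c2", ev["ProcessId"], host))
    return findings


# Constructed sample telemetry: two malicious events, one benign installer task,
# then a compiled-Python image load and two outbound connections.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "MicrosoftExampleTask" /sc minute /mo 1 /tr C:\Users\Public\loader.bat'},
    {"EventID": 1, "ProcessId": 4300, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\run.ps1"},
    {"EventID": 1, "ProcessId": 4400, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'schtasks /create /tn "Microsoft Example Updater" /sc daily /tr C:\Program Files\Example\upd.exe'},
    {"EventID": 7, "ProcessId": 5000, "Image": r"C:\Users\Public\update.exe",
     "ImageLoaded": r"C:\Users\Public\python311.dll"},
    {"EventID": 3, "ProcessId": 5000, "Image": r"C:\Users\Public\update.exe",
     "DestinationHostname": "api.pcloud.com"},
    {"EventID": 3, "ProcessId": 6000, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "api.pcloud.com"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Rule 3 is the one the brief calls the durable surface: it keys on the runtime DLL and the destination service rather than any relay address, so rotating relays through the dead-drop does not change the signal. The browser connection to the same host is deliberately not flagged, which is the false-positive the correlation exists to suppress.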